A new paper (.pdf) highlights the dangers of many free mobile VPN apps. Researchers studied 283 free Android VPN apps available through the Google Play Store. Many of these are very popular, and have been rated highly by their users. Alarmingly:
- 75% of the apps tested use third-party tracking libraries.
- 82% unnecessarily request permissions to access sensitive data. This includes user accounts and text messages.
- 38% contain some form of malware (adware 43%, trojan 29%, malvertising 17%, riskware 6% and spyware 5%).
- 18% do not even encrypt users’ data.
- 18% provide no information on who is hosting the VPN servers.
- 16% forward traffic through other users’ network bandwidth.
- 84% expose the user’s real IP address via IPv6 DNS leaks.
- 16% deploy non-transparent proxies that modify users' HTTP traffic. This includes injecting JavaScript code for advertising and tracking purposes.
- Four of the analysed apps perform TLS interception. Although three of these claim this is in order to perform traffic acceleration, it allows them to selectively intercept data sent to secure HTTPS sites such as banks, email services, e-commerce sites, and online tax return websites.
These figures are frankly shocking. All the more so because people use these apps in the belief that they will improve their online privacy and security!
DNS Resolvers
The researchers also found that:
“Notably, 55% of the free apps (and 60% of premium apps) redirect user’s DNS queries to Google DNS whereas 7% of free and 10% of premium VPN apps forward DNS traffic to their own DNS resolvers.”
It is not clear, however, whether DNS requests sent to Google or other third party DNS resolvers are proxied by the VPN providers. If so, the issue is not as problematic as it may first appear, as the identity of the person making the DNS request will be hidden from Google et al.
Of course, if the DNS requests are not being proxied, and are instead going direct to Google and the like, this is terrible news for privacy.
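The difference between a proxied and a direct DNS query, and the IPv6 DNS leak mentioned in the findings above, both come down to one question: which interface carries the packet to the resolver? The following Python script is an added example (not code from the paper or from any VPN app) that answers it from routing-table and resolver data. The route lines and resolver addresses are constructed for the example and mimic `ip route` / `ip -6 route` output on a phone whose VPN app tunnels IPv4 only; the interface names `tun0` and `rmnet0` are assumptions.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: object  # ipaddress.IPv4Network or IPv6Network
    dev: str


# Constructed sample in `ip route` / `ip -6 route` style: the VPN app has set an
# IPv4 default route over its tunnel (tun0) but left IPv6 on the mobile
# interface (rmnet0), which is the situation behind an IPv6 DNS leak.
SAMPLE_ROUTES = """
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
198.51.100.0/24 dev rmnet0
default via fe80::1 dev rmnet0
2001:db8:abcd::/64 dev rmnet0
"""

# Constructed resolver list: the tunnel's own resolver, a public IPv4 resolver
# and a public IPv6 resolver (Google Public DNS addresses, used here purely as
# sample values).
SAMPLE_RESOLVERS = ["10.8.0.1", "8.8.8.8", "2001:4860:4860::8888"]


def parse_routes(text):
    """Parse `<dest> [via <gw>] dev <if>` lines into Route entries.
    A bare `default` becomes 0.0.0.0/0 or ::/0 according to the address
    family of its gateway."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dev = parts[parts.index("dev") + 1]
        dest = parts[0]
        if dest == "default":
            if "via" not in parts:
                raise ValueError(f"cannot infer address family: {line!r}")
            gw = ipaddress.ip_address(parts[parts.index("via") + 1])
            dest = "0.0.0.0/0" if gw.version == 4 else "::/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(address, routes):
    """Longest-prefix match: which interface carries packets to `address`?"""
    ip = ipaddress.ip_address(address)
    best = None
    for r in routes:
        if r.prefix.version == ip.version and ip in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best.dev if best else None


def classify_resolvers(resolvers, routes, tunnel_dev):
    """Return {resolver: status}, where status is one of:
      'leak'                 reached outside the tunnel: the resolver and any
                             on-path observer see the device's real address
      'proxied-third-party'  a public resolver reached through the tunnel: it
                             sees the VPN exit address; the VPN provider sees
                             the queries
      'vpn-resolver'         a private address inside the tunnel, i.e. the
                             provider's own resolver
      'unroutable'           no route at all, so queries simply fail"""
    result = {}
    for r in resolvers:
        dev = egress_device(r, routes)
        ip = ipaddress.ip_address(r)
        if dev is None:
            result[r] = "unroutable"
        elif dev != tunnel_dev:
            result[r] = "leak"
        elif ip.is_global:
            result[r] = "proxied-third-party"
        else:
            result[r] = "vpn-resolver"
    return result


if __name__ == "__main__":
    report = classify_resolvers(SAMPLE_RESOLVERS, parse_routes(SAMPLE_ROUTES), "tun0")
    for resolver, status in report.items():
        print(f"{resolver:<24} {status}")
```

With the sample data the IPv4 queries to Google are proxied (Google sees the VPN exit address, the provider sees the queries), while the IPv6 resolver is reached over `rmnet0` and exposes the real address. On a real device you would feed the script the actual routing table and the resolvers the VPN app configured; the fix for the leak is for the app to route or block IPv6, not merely IPv4.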
VPN Apps Are a Burgeoning Market, Ripe for Exploitation
Governments across the world are stepping up warrantless, blanket surveillance of their populations. Online companies scan our emails and track us as we surf the web in order to target ever more personalized ads at our browser windows. Copyright trolls track downloaders in order to threaten them into paying damage reparations.
Internet users are becoming increasingly aware of all this and, quite understandably, don’t like it. This has fuelled a huge rise of interest in VPN technology.
In theory, this is great, as VPNs (and VPN apps) can indeed help to counter these problems. However, this surge of interest in VPNs has also led to an increase in cowboy outfits keen to exploit this new trend.
Most Android Users Pick Apps Based on Two Factors
The first is the popularity of apps and the star rating given to them by other users on the Play Store. These indicators simply cannot be trusted, however, because the people downloading the apps and leaving reviews do not have the technical competence to assess the privacy and security implications of using these apps.
This explains why, despite the paper’s damning findings when analyzing these apps, 37% of them have more than 500,000 installs, and 25% of them receive at least a four-star rating from users!
Here we can clearly see that app reviewers on the Play Store are much more concerned about bugs and battery life than with privacy and security issues.
The second criterion is price, and most people’s favorite price by far is FREE! That's all well and good, but running a VPN service is a costly and time-consuming business. So no-one, and I mean no-one, is going to do it for free.
If you are not paying for a service in hard currency then it is making money from you in some other way. “There ain’t no such thing as a free lunch,” and, “if you aren’t paying for a product then you are the product” are both appropriate adages here.
So How Can I Stay Safe?
As long as you understand their limitations, VPN apps are still a great way to improve your privacy and security when using an Android device. The important thing is to choose a good app from a reputable VPN provider. This is admittedly easier said than done. The following advice should help, however.
1. Avoid free VPN apps. As discussed above, if you are not paying for the product then you are the product. Reputable commercial VPN services can be had for under $5 per month.
2. If you really must use a free VPN app, understand how the service finances itself. Reputable free VPN services do exist, but these are invariably very restricted. They are offered in the hope of enticing you to pay for an unrestricted premium service. This might be annoying, but it is, at least, transparent. Please see our list of recommended free VPN services.
3. Check out provider reviews on ProPrivacy.com (of course!). If a provider is, in general, well regarded, then its app is likely to be secure.
4. Avoid the myriad otherwise unheard-of, app-only, VPN services out there. They are most probably cowboys.
5. Use the OpenVPN for Android app by Arne Schwabe instead of custom VPN apps. This open source VPN client is officially recommended by the OpenVPN project. It is very secure and includes IPv4, IPv6, and WebRTC leak protection. It can even be configured to act as a kill switch.
The app uses regular OpenVPN configuration files, and so can be used with any regular commercial VPN service that offers OpenVPN. Note that although the app is free to download, you will need to sign up for a VPN service in order to use it (unless you run your own VPN server).
You will still need to trust your VPN provider, of course, but at least this way you can be 100% sure that the app you are using is secure.
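Using a generic client like OpenVPN for Android means the configuration file the provider gives you is the only provider-specific thing you import, so it is worth inspecting before use. The script below is an added example (not part of the article, the OpenVPN project, or the OpenVPN for Android app) that parses a `.ovpn` file and flags the settings that matter for the problems this article describes: no encryption, missing server-certificate checks, and IPv6 left outside the tunnel. The directives it looks for (`cipher`, `auth`, `remote-cert-tls`, `tls-auth`/`tls-crypt`, `redirect-gateway`, `block-ipv6`, `script-security`) are standard OpenVPN directives; the two config files, the hostname `vpn.example.invalid`, the key file `ta.key` and the script path are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed example of a weak client config, of the kind a careless (or
# hostile) app-only service might ship. The certificate body is a placeholder.
WEAK_CONFIG = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher none
auth none
redirect-gateway def1
script-security 2
up /tmp/run-me.sh
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Constructed example of the hardened shape a reputable provider's config has.
HARDENED_CONFIG = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
redirect-gateway def1 ipv6
"""


def parse_ovpn(text):
    """Return {directive: [args, ...]} for the top-level directives of an
    OpenVPN client config. Inline blocks such as <ca>...</ca> are recorded by
    name only; their contents (certificates, keys) are not needed here."""
    directives = defaultdict(list)
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if block:
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            directives[block].append(["<inline>"])
            continue
        parts = line.split()
        directives[parts[0]].append(parts[1:])
    return directives


def audit_ovpn(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    d = parse_ovpn(text)

    def first_arg(name):
        args = d.get(name)
        return args[0][0].lower() if args and args[0] else None

    findings = []
    # `cipher none` sends the data channel in the clear.
    if first_arg("cipher") == "none":
        findings.append("NO_ENCRYPTION")
    # `auth none` removes the HMAC on non-AEAD ciphers: no integrity check.
    if first_arg("auth") == "none":
        findings.append("NO_INTEGRITY")
    # Without `remote-cert-tls server`, any holder of a client certificate
    # issued by the same CA could pose as the server.
    if "remote-cert-tls" not in d:
        findings.append("NO_REMOTE_CERT_TLS")
    # tls-auth / tls-crypt add a pre-shared key that gates the TLS handshake.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("NO_TLS_KEY")
    # IPv6 must be either tunnelled (`redirect-gateway ... ipv6`) or blocked
    # (`block-ipv6`); otherwise IPv6 traffic, DNS included, bypasses the tunnel.
    rg = d.get("redirect-gateway")
    if rg is None:
        # The server may push this option; verify the routes after connecting.
        findings.append("DEFAULT_ROUTE_LEFT_TO_SERVER")
    elif "ipv6" not in rg[0] and "block-ipv6" not in d:
        findings.append("IPV6_NOT_TUNNELLED")
    # script-security >= 2 plus hook directives lets a config file run
    # commands on desktop OpenVPN clients; a provider's file should not need it.
    level = first_arg("script-security")
    hooks = ("up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify")
    if level and level.isdigit() and int(level) >= 2 and any(h in d for h in hooks):
        findings.append("RUNS_SCRIPTS")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_ovpn(WEAK_CONFIG))
    print("hardened:", audit_ovpn(HARDENED_CONFIG))
```

The audit is a static check of the file only; whether IPv6 is actually blocked or tunnelled on the device still depends on the OpenVPN for Android settings and on what the server pushes, so confirm with a leak test after connecting.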
Mobile VPN Apps: Conclusion
The researchers focused exclusively on Android apps, and free ones at that (although some offered in-app purchases for premium products). There are some aspects of the way Android works that make it very easy to create rogue Android apps, but many of the problems discovered will almost certainly exist in iOS apps as well.
The best way to avoid VPN apps that compromise, rather than enhance, your online privacy and security is to do some research, and only use apps from reputable, paid-for VPN providers. As the old Roman saying goes, caveat emptor: it is the buyer's responsibility to check the quality and suitability of a product before buying it. This applies even more when the cost is not obvious.